The username, password, and url should never be stored plaintext in a variable, especially in java. Let that be a lesson to all.
The proplem here not with java at all, it is due to the fact the an applet was used, thus the code is sent to the client, same as if one had used javascript as their access control system. If this had writen in as jsp pages ie server side authentifcation then there would not have been a proplem, as you cant gain access to the source code. but like you said passwords should not stored in plain texted, they should be hashed.

SittingDuck